Stern words and stiff fine from UK regulator after Uber displayed “complete disregard” for customers and drivers
A data breach cover-up by taxi hailing giant Uber has cost the firm even more money after stiff fines by two European regulators.
The British and Dutch data protection regulators concluded their investigations and slapped the firm with fines totalling over $1 million.
It comes after Uber admitted in September that it would also pay $148m (£113m) to settle legal action over the cyber-attack of October 2016, which exposed data from 58 million customers and drivers.
It is understood that no financial details or journey records were taken by the hacker, who was paid $100,000 to delete the files, but some personal information was stolen and there were no guarantees the data was actually destroyed.
Uber reportedly used its so-called “bug bounty” program (normally used to reward the reporting of code vulnerabilities) to pay off the hacker, said to be an unidentified 20-year-old man in Florida.
Uber came clean about the incident in November 2017, after new CEO Dara Khosrowshahi said he only became aware of the breach recently. Khosrowshahi had only joined the company earlier in 2017 and said the company was working with the authorities.
But the admission prompted investigations by European authorities: the Information Commissioner’s Office (ICO) fined the company £385,000 ($490,760), while the Dutch Data Protection Authority (DPA) slapped Uber with a €600,000 ($678,780) fine.
“The records of almost 82,000 drivers based in the UK – which included details of journeys made and how much they were paid – were also taken during the incident in October and November 2016,” the ICO said in its ruling.
“A series of avoidable data security flaws allowed the personal details of around 2.7 million UK customers to be accessed and downloaded by attackers from a cloud-based storage system operated by Uber’s US parent company,” it added. “This included full names, email addresses and phone numbers.”
“However, the customers and drivers affected were not told about the incident for more than a year,” it said. “Instead, Uber paid the attackers responsible $100,000 to destroy the data they had downloaded.”
“This was not only a serious failure of data security on Uber’s part, but a complete disregard for the customers and drivers whose personal information was stolen,” said ICO Director of Investigations Steve Eckersley.
“At the time, no steps were taken to inform anyone affected by the breach, or to offer help and support. That left them vulnerable,” he added. “Paying the attackers and then keeping quiet about it afterwards was not, in our view, an appropriate response to the cyber attack.”
“Although there was no legal duty to report data breaches under the old legislation, Uber’s poor data protection practices and subsequent decisions and conduct were likely to have compounded the distress of those affected,” he added.